From 50819ae0f05d75caf4b2e8632c661b171b0c45f6 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Fri, 23 Sep 2022 22:11:47 +0200
Subject: [PATCH] *: improve error handling in ldap outpost, ignore additional errors
Signed-off-by: Jens Langhammer
---
 authentik/lib/sentry.py | 3 +++
 authentik/sources/ldap/sync/groups.py | 2 +-
 authentik/sources/ldap/sync/users.py | 2 +-
 internal/outpost/flow/executor.go | 18 +++++++++++++++---
 internal/outpost/ldap/entries.go | 6 ++++++
 web/src/common/sentry.ts | 1 +
 6 files changed, 27 insertions(+), 5 deletions(-)
diff --git a/authentik/lib/sentry.py b/authentik/lib/sentry.py
index bda251bdf..f79313e69 100644
--- a/authentik/lib/sentry.py
+++ b/authentik/lib/sentry.py
@@ -1,4 +1,5 @@
 """authentik sentry integration"""
+from asyncio.exceptions import CancelledError
 from typing import Any, Optional
 from aioredis.errors import ConnectionClosedError, ReplyError
@@ -143,6 +144,8 @@ def before_send(event: dict, hint: dict) -> Optional[dict]:
 DockerException,
 # End-user errors
 Http404,
+ # AsyncIO
+ CancelledError,
 )
 exc_value = None
 if "exc_info" in hint:
diff --git a/authentik/sources/ldap/sync/groups.py b/authentik/sources/ldap/sync/groups.py
index a1364ee22..983feb9f5 100644
--- a/authentik/sources/ldap/sync/groups.py
+++ b/authentik/sources/ldap/sync/groups.py
@@ -51,7 +51,7 @@ class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
 },
 defaults,
 )
- except (IntegrityError, FieldError, TypeError) as exc:
+ except (IntegrityError, FieldError, TypeError, AttributeError) as exc:
 Event.new(
 EventAction.CONFIGURATION_ERROR,
 message=(
diff --git a/authentik/sources/ldap/sync/users.py b/authentik/sources/ldap/sync/users.py
index c4ae4869e..2a0edf45b 100644
--- a/authentik/sources/ldap/sync/users.py
+++ b/authentik/sources/ldap/sync/users.py
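Review bot: Adding `AttributeError` to the `except` tuple in `authentik/sources/ldap/sync/groups.py` (the same change is made in `authentik/sources/ldap/sync/users.py`) also catches attribute mistakes in the sync code itself, so a genuine bug inside `update_or_create_attributes` would be recorded as a `CONFIGURATION_ERROR` event instead of surfacing. The handler body runs past the end of the hunk, so whether the exception is logged with its traceback is not visible; if it is not, that is worth adding. I would also add a comment above the `except` naming the case it is meant for, along the lines of `# AttributeError: raised when <describe the LDAP input that triggers it>`, so the broad catch stays reviewable.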
@@ -45,7 +45,7 @@ class UserLDAPSynchronizer(BaseLDAPSynchronizer):
 ak_user, created = self.update_or_create_attributes(
 User, {f"attributes__{LDAP_UNIQUENESS}": uniq}, defaults
 )
- except (IntegrityError, FieldError, TypeError) as exc:
+ except (IntegrityError, FieldError, TypeError, AttributeError) as exc:
 Event.new(
 EventAction.CONFIGURATION_ERROR,
 message=(
diff --git a/internal/outpost/flow/executor.go b/internal/outpost/flow/executor.go
index 702bafce5..570e34a06 100644
--- a/internal/outpost/flow/executor.go
+++ b/internal/outpost/flow/executor.go
@@ -169,7 +169,11 @@ func (fe *FlowExecutor) getInitialChallenge() (*api.ChallengeTypes, error) {
 if err != nil {
 return nil, err
 }
- ch := challenge.GetActualInstance().(challengeInt)
+ i := challenge.GetActualInstance()
+ if i == nil {
+ return nil, errors.New("response instance was null")
+ }
+ ch := i.(challengeInt)
 fe.log.WithField("component", ch.GetComponent()).WithField("type", ch.GetType()).Debug("Got challenge")
 gcsp.SetTag("authentik.flow.challenge", string(ch.GetType()))
 gcsp.SetTag("authentik.flow.component", ch.GetComponent())
@@ -185,7 +189,11 @@ func (fe *FlowExecutor) solveFlowChallenge(challenge *api.ChallengeTypes, depth
 // Resole challenge
 scsp := sentry.StartSpan(fe.Context, "authentik.outposts.flow_executor.solve_challenge")
 responseReq := fe.api.FlowsApi.FlowsExecutorSolve(scsp.Context(), fe.flowSlug).Query(fe.Params.Encode())
- ch := challenge.GetActualInstance().(challengeInt)
+ i := challenge.GetActualInstance()
+ if i == nil {
+ return false, errors.New("response request instance was null")
+ }
+ ch := i.(challengeInt)
 // Check for any validation errors that we might've gotten
 if len(ch.GetResponseErrors()) > 0 {
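Review bot: The new nil checks in `internal/outpost/flow/executor.go` still leave `i.(challengeInt)` as an unchecked type assertion, so a non-nil instance that does not implement `challengeInt` panics the outpost in `getInitialChallenge` and at both sites in `solveFlowChallenge` (the second of those is in the following hunk). A comma-ok assertion handles the nil case and the wrong-type case together, because asserting on a nil interface yields `ok == false`: `ch, ok := challenge.GetActualInstance().(challengeInt)` followed by `if !ok { return nil, errors.New("unexpected challenge type") }`. Both functions start and end outside the hunks shown. No import change is visible either, so `errors` is presumably already imported in this file.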
@@ -218,7 +226,11 @@ func (fe *FlowExecutor) solveFlowChallenge(challenge *api.ChallengeTypes, depth
 if err != nil {
 return false, fmt.Errorf("failed to submit challenge %w", err)
 }
- ch = response.GetActualInstance().(challengeInt)
+ i = response.GetActualInstance()
+ if i == nil {
+ return false, errors.New("response instance was null")
+ }
+ ch = i.(challengeInt)
 fe.log.WithField("component", ch.GetComponent()).WithField("type", ch.GetType()).Debug("Got response")
 scsp.SetTag("authentik.flow.challenge", string(ch.GetType()))
 scsp.SetTag("authentik.flow.component", ch.GetComponent())
diff --git a/internal/outpost/ldap/entries.go b/internal/outpost/ldap/entries.go
index aa6e7b214..f5578578e 100644
--- a/internal/outpost/ldap/entries.go
+++ b/internal/outpost/ldap/entries.go
@@ -11,6 +11,12 @@ func (pi *ProviderInstance) UserEntry(u api.User) *ldap.Entry {
 dn := pi.GetUserDN(u.Username)
 attrs := utils.AKAttrsToLDAP(u.Attributes)
+ if u.IsActive == nil {
+ u.IsActive = api.PtrBool(false)
+ }
+ if u.Email == nil {
+ u.Email = api.PtrString("")
+ }
 attrs = utils.EnsureAttributes(attrs, map[string][]string{
 "memberOf": pi.GroupsForUser(u),
 "goauthentik.io/ldap/active": {utils.BoolToString(*u.IsActive)},
diff --git a/web/src/common/sentry.ts b/web/src/common/sentry.ts
index d8670907f..175c1a958 100644
--- a/web/src/common/sentry.ts
+++ b/web/src/common/sentry.ts
@@ -24,6 +24,7 @@ export async function configureSentry(canDoPpi = false): Promise {
 /instantSearchSDKJSBridgeClearHighlight/gi,
 // Seems to be an issue in Safari and Firefox
 /MutationObserver.observe/gi,
+ /NS_ERROR_FAILURE/gi,
 ],
 release: `authentik@${VERSION}`,
 tunnel: "/api/v3/sentry/",
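Review bot: In `UserEntry` (`internal/outpost/ldap/entries.go`) the two nil defaults carry no comment on why these values were chosen, and the `IsActive` one is security-relevant: a user whose record has no `IsActive` value is published over LDAP as inactive. I would add `// Fail closed: a user without an IsActive value is reported as inactive.` above the first check. `u` is passed by value, so the assignments stay local to this call. The function continues past the end of the hunk, so any other pointer field dereferenced there may need the same guard.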
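Review bot: The added `/NS_ERROR_FAILURE/gi` in `web/src/common/sentry.ts` copies the `g` flag from its neighbours, and a global regex keeps `lastIndex` between `test()` calls, so a reused pattern object can fail to match on alternate calls. If the SDK applies these patterns with `test()` (not visible here), some of these events would slip past the filter; `/NS_ERROR_FAILURE/i` avoids that. The list this entry belongs to opens outside the hunk.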